[squid-users] [SOLVED] Transparent HTTPS Squid proxy with upstream parent
Michael Ludvig
michael.ludvig at enterpriseit.co.nz
Tue Nov 24 22:34:31 UTC 2015
On 24/11/15 18:26, Amos Jeffries wrote:
> That is two separate and entirely different traffic types:
>
> A) [client] -> HTTP--(NAT)--> [my_proxy]
>
> B) [client] -> TLS--(NAT)--> [my_proxy]
>
>
> (A) requires "http_port ... intercept ssl-bump cert=/path/to/cert"
>
> (B) requires "https_port ... intercept ssl-bump cert=/path/to/cert"
>
> Above is the minimum configuration. The generate-* etc. settings you
> mention below are useful as well.
>
> In order to impersonate the server you also need to fetch the server
> details (peek or stare at step2), then bump at step3.
Yay, that seems to work! Here is the working config for [my_proxy]:
====
# explicit proxy port for clients that can be configured with a proxy
http_port 3128
# transparent plain-HTTP port (iptables REDIRECTs :80 here)
http_port 8080 intercept
# transparent HTTPS port (iptables REDIRECTs :443 here); certificates for
# bumped sites are generated on the fly and signed with cert=... , which
# therefore has to be a CA certificate that the clients trust
https_port 8443 intercept ssl-bump generate-host-certificates=on \
dynamic_cert_mem_cache_size=4MB cert=/etc/squid/my-proxy.pem
sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
# certificate-generation helper; the DB must be created once beforehand
# with: /usr/lib64/squid/ssl_crtd -c -s /var/lib/ssl_db
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 5
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
#ssl_bump peek step1 # <- enabling this breaks it
# stare at step 2 fetches the server details, bump at step 3 impersonates it
ssl_bump stare step2
ssl_bump bump step3
# all traffic, bumped included, is forwarded to the TLS-speaking parent
cache_peer parent.example.com parent 3129 0 no-query ssl
never_direct allow all
====
And two iptables rules:
# REDIRECT is a nat-table target, so the rules need -t nat
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
Now the clients can either go explicitly to the proxy on port 3128, or those
that don't support setting a proxy have [my_proxy] as their default gateway
and the transparent proxy setup kicks in.
Thanks a lot Amos for your help!
Michael
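Once the setup above is in place, the practical question is whether a given client's HTTPS traffic is really being bumped (and whether the minted certificate is one the client would accept). The following probe is an added example, not code from the original thread or from the Squid project. It is meant to be run from a client behind the gateway, so that its connection to port 443 is diverted by the REDIRECT rule; it then reports whether the certificate it was shown was issued by the proxy CA. The CA common name "my-proxy CA", the sample certificate dictionary and the hostnames are assumptions made for illustration.

```python
"""Added example (not from the original post): a probe, run from a client
behind the intercepting gateway, that tells whether its HTTPS connection to a
site is being bumped by the Squid proxy or reaching the origin directly.

A bumping proxy answers the TLS handshake with a certificate it mints for the
requested SNI and signs with its own CA, so the leaf certificate's issuer
tells the two cases apart.  All hostnames, file paths and the CA common name
below are assumptions chosen for illustration.
"""
import socket
import ssl

# Assumed subject CN of the proxy CA in /etc/squid/my-proxy.pem (illustrative).
PROXY_CA_CN = "my-proxy CA"


def issuer_rdns(cert):
    """Flatten getpeercert()'s ((('attr', 'value'),), ...) issuer into a dict."""
    flat = {}
    for rdn in cert.get("issuer", ()):
        for attr, value in rdn:
            flat[attr] = value
    return flat


def san_dns_names(cert):
    """DNS entries from the certificate's subjectAltName extension."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def san_covers(cert, hostname):
    """True if hostname matches a SAN DNS entry (single-label wildcard only)."""
    host = hostname.lower().rstrip(".")
    for name in san_dns_names(cert):
        name = name.lower()
        if name == host:
            return True
        if name.startswith("*.") and host.count(".") == name.count(".") \
                and host.endswith(name[1:]):
            return True
    return False


def classify(cert, proxy_ca_cn=PROXY_CA_CN):
    """'bumped' if the proxy CA signed the leaf we were shown, else 'direct'."""
    return "bumped" if issuer_rdns(cert).get("commonName") == proxy_ca_cn else "direct"


def probe(hostname, port=443, ca_file=None, proxy_ca_cn=PROXY_CA_CN, timeout=5):
    """Connect to hostname:port (the gateway's REDIRECT rule diverts this to
    the intercept port) and report who issued the certificate we were shown.

    With ca_file pointing at the proxy CA, only that CA is trusted, so the
    handshake itself fails unless the proxy signed the leaf: the strictest
    check.  With ca_file=None the system trust store is used and the returned
    dict shows what an ordinary client actually received.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    with socket.create_connection((hostname, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return {
        "host": hostname,
        "verdict": classify(cert, proxy_ca_cn),
        "issuer": issuer_rdns(cert),
        "san_ok": san_covers(cert, hostname),
    }


# Constructed sample shaped like ssl.SSLSocket.getpeercert() output for a
# certificate minted by the proxy CA.  Not captured from a real session.
SAMPLE_BUMPED_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": (
        (("countryName", "NZ"),),
        (("organizationName", "Example Proxy"),),
        (("commonName", "my-proxy CA"),),
    ),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.net")),
}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"
    print(probe(target))
```

Run it twice from a client: once with ca_file set to the proxy CA (a successful handshake proves the proxy, not the origin, terminated TLS) and once with the system store (which shows whether the client would accept the minted certificate without a warning, i.e. whether the proxy CA has been distributed to it). A verdict of "direct" from a machine whose default gateway is [my_proxy] means the REDIRECT rule on port 443 is not matching that traffic.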